From 77037426547dac91a16a1f4db499101f0222b463 Mon Sep 17 00:00:00 2001
From: CentOS Buildsys
Date: Mar 19 2014 20:47:47 +0000
Subject: import openssh-6.4p1-8.el7.src.rpm
---
diff --git a/SOURCES/openssh-6.2p2-dont-test-ecdsa-521-keys.patch b/SOURCES/openssh-6.2p2-dont-test-ecdsa-521-keys.patch
deleted file mode 100644
index 8404c20..0000000
--- a/SOURCES/openssh-6.2p2-dont-test-ecdsa-521-keys.patch
+++ /dev/null
@@ -1,47 +0,0 @@ -diff -up openssh-6.2p2/configure.ac.ecc openssh-6.2p2/configure.ac ---- openssh-6.2p2/configure.ac.ecc 2013-06-12 15:53:42.507017657 +0200 -+++ openssh-6.2p2/configure.ac 2013-06-12 15:53:42.534017598 +0200 -@@ -2512,7 +2512,7 @@ AC_SUBST([TEST_SSH_SHA256]) - - # Check complete ECC support in OpenSSL - AC_MSG_CHECKING([whether OpenSSL has complete ECC support]) --AC_LINK_IFELSE( -+AC_RUN_IFELSE( - [AC_LANG_PROGRAM([[ - #include - #include -@@ -2524,8 +2524,9 @@ AC_LINK_IFELSE( - # error "OpenSSL < 0.9.8g has unreliable ECC code" - #endif - ]], [[ -- EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); -+ EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); - const EVP_MD *m = EVP_sha512(); /* We need this too */ -+ exit (e == NULL || m == NULL); - ]])], - [ - AC_MSG_RESULT([yes]) -diff -up openssh-6.2p2/regress/kextype.sh.ecc openssh-6.2p2/regress/kextype.sh ---- openssh-6.2p2/regress/kextype.sh.ecc 2013-06-12 16:06:39.718376529 +0200 -+++ openssh-6.2p2/regress/kextype.sh 2013-06-12 16:06:47.587343883 +0200 -@@ -8,7 +8,7 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak - cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak - - if test "$TEST_SSH_ECC" = "yes"; then -- kextypes="ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521" -+ kextypes="ecdh-sha2-nistp256 ecdh-sha2-nistp384" - fi - if test "$TEST_SSH_SHA256" = "yes"; then - kextypes="$kextypes diffie-hellman-group-exchange-sha256" -diff -up openssh-6.2p2/regress/keytype.sh.ecc openssh-6.2p2/regress/keytype.sh ---- openssh-6.2p2/regress/keytype.sh.ecc 2012-02-15 08:01:42.000000000 +0100 -+++ openssh-6.2p2/regress/keytype.sh 2013-06-12 15:53:42.534017598 +0200 -@@ -13,7 +13,7 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak - - ktypes="dsa-1024 rsa-2048 rsa-3072" - if test "$TEST_SSH_ECC" = "yes"; then -- ktypes="$ktypes ecdsa-256 ecdsa-384 ecdsa-521" -+ ktypes="$ktypes ecdsa-256 ecdsa-384" - fi - - for kt in $ktypes; do 
diff --git a/SOURCES/openssh-6.3p1-fips.patch b/SOURCES/openssh-6.3p1-fips.patch index acf4e82..6a5a332 100644 --- a/SOURCES/openssh-6.3p1-fips.patch +++ b/SOURCES/openssh-6.3p1-fips.patch @@ -527,9 +527,9 @@ diff -up openssh-6.3p1/sshconnect2.c.fips openssh-6.3p1/sshconnect2.c if (options.hostkeyalgorithms != NULL) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = options.hostkeyalgorithms; -diff -up openssh-6.3p1/sshd.c.fips openssh-6.3p1/sshd.c ---- openssh-6.3p1/sshd.c.fips 2013-10-11 22:24:32.842031223 +0200 -+++ openssh-6.3p1/sshd.c 2013-10-11 22:24:32.873031077 +0200 +diff -up openssh-6.4p1/sshd.c.fips openssh-6.4p1/sshd.c +--- openssh-6.4p1/sshd.c.fips 2014-01-27 16:20:12.751358484 +0100 ++++ openssh-6.4p1/sshd.c 2014-01-27 16:21:12.961052163 +0100 @@ -76,6 +76,8 @@ #include #include @@ -539,22 +539,26 @@ diff -up openssh-6.3p1/sshd.c.fips openssh-6.3p1/sshd.c #include "openbsd-compat/openssl-compat.h" #ifdef HAVE_SECUREWARE -@@ -1450,6 +1452,14 @@ main(int ac, char **av) +@@ -1450,6 +1452,18 @@ main(int ac, char **av) #endif __progname = ssh_get_progname(av[0]); + SSLeay_add_all_algorithms(); + if (access("/etc/system-fips", F_OK) == 0) -+ if (! FIPSCHECK_verify(NULL, NULL)) -+ if (FIPS_mode()) -+ fatal("FIPS integrity verification test failed."); ++ if (! FIPSCHECK_verify(NULL, NULL)) { ++ openlog(__progname, LOG_PID, LOG_AUTHPRIV); ++ if (FIPS_mode()) { ++ syslog(LOG_CRIT, "FIPS integrity verification test failed."); ++ cleanup_exit(255); ++ } + else -+ logit("FIPS integrity verification test failed."); -+ ++ syslog(LOG_INFO, "FIPS integrity verification test failed."); ++ closelog(); ++ } /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ saved_argc = ac; rexec_argc = ac; -@@ -1601,8 +1611,6 @@ main(int ac, char **av) +@@ -1601,8 +1615,6 @@ main(int ac, char **av) else closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); 
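Review bot: The two outer `if` statements guarding the FIPSCHECK_verify() block in the sshd.c `main()` hunk are unbraced and nested, which is exactly the shape the "goto fail" class of bugs grows from; folding them into one braced condition reads better: `if (access("/etc/system-fips", F_OK) == 0 && !FIPSCHECK_verify(NULL, NULL)) {`. The non-FIPS branch logs the same text at LOG_INFO that the fatal branch logs at LOG_CRIT, so a reader of the journal cannot tell from the message alone whether sshd carried on; a comment above the `else`, `/* not in FIPS mode: integrity failure is informational only, sshd continues */`, would make the intent explicit. `main()` starts and ends outside the hunk.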
@@ -563,7 +567,7 @@ diff -up openssh-6.3p1/sshd.c.fips openssh-6.3p1/sshd.c /* If requested, redirect the logs to the specified logfile. */ if (logfile != NULL) { log_redirect_stderr_to(logfile); -@@ -1773,6 +1781,10 @@ main(int ac, char **av) +@@ -1773,6 +1785,10 @@ main(int ac, char **av) debug("private host key: #%d type %d %s", i, keytype, key_type(key ? key : pubkey)); } @@ -574,7 +578,7 @@ diff -up openssh-6.3p1/sshd.c.fips openssh-6.3p1/sshd.c if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; -@@ -1936,6 +1948,10 @@ main(int ac, char **av) +@@ -1936,6 +1952,10 @@ main(int ac, char **av) /* Initialize the random number generator. */ arc4random_stir(); @@ -585,7 +589,7 @@ diff -up openssh-6.3p1/sshd.c.fips openssh-6.3p1/sshd.c /* Chdir to the root directory so that the current disk can be unmounted if desired. */ if (chdir("/") == -1) -@@ -2498,6 +2514,9 @@ do_ssh2_kex(void) +@@ -2498,6 +2518,9 @@ do_ssh2_kex(void) if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; @@ -595,7 +599,7 @@ diff -up openssh-6.3p1/sshd.c.fips openssh-6.3p1/sshd.c } myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -2507,6 +2526,9 @@ do_ssh2_kex(void) +@@ -2507,6 +2530,9 @@ do_ssh2_kex(void) if (options.macs != NULL) { myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; diff --git a/SOURCES/openssh-6.3p1-keycat.patch b/SOURCES/openssh-6.3p1-keycat.patch index 90cfb7e..6105d09 100644 --- a/SOURCES/openssh-6.3p1-keycat.patch +++ b/SOURCES/openssh-6.3p1-keycat.patch 
@@ -8,7 +8,7 @@ diff -up openssh-6.3p1/HOWTO.ssh-keycat.keycat openssh-6.3p1/HOWTO.ssh-keycat + +To use ssh-keycat, set these options in /etc/ssh/sshd_config file: + AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat -+ AuthorizedKeysCommandRunAs root ++ AuthorizedKeysCommandUser root + +Do not forget to enable public key authentication: + PubkeyAuthentication yes diff --git a/SOURCES/openssh-6.3p1-ldap.patch b/SOURCES/openssh-6.3p1-ldap.patch index 994ef59..052973c 100644 --- a/SOURCES/openssh-6.3p1-ldap.patch +++ b/SOURCES/openssh-6.3p1-ldap.patch @@ -759,10 +759,9 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h + +#endif /* LDAPBODY_H */ + -diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c ---- openssh-6.2p2/ldapconf.c.ldap 2013-06-07 15:10:05.601942693 +0200 -+++ openssh-6.2p2/ldapconf.c 2013-06-07 15:10:24.928857566 +0200 -@@ -0,0 +1,691 @@ +--- openssh-6.4p1/ldapconf.c.ldap 2013-11-26 10:31:03.513794385 +0100 ++++ openssh-6.4p1/ldapconf.c 2013-11-26 10:38:15.474635149 +0100 +@@ -0,0 +1,720 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* + * Copyright (c) 2009 Jan F. Chadima. All rights reserved. @@ -886,6 +885,35 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c + return lBadOption; +} + ++/* Characters considered whitespace in strsep calls. */ ++#define WHITESPACE " \t\r\n" ++ ++/* return next token in configuration line */ ++static char * ++ldap_strdelim(char **s) ++{ ++ char *old; ++ int wspace = 0; ++ ++ if (*s == NULL) ++ return NULL; ++ ++ old = *s; ++ ++ *s = strpbrk(*s, WHITESPACE); ++ if (*s == NULL) ++ return (old); ++ ++ *s[0] = '\0'; ++ ++ /* Skip any extra whitespace after first token */ ++ *s += strspn(*s + 1, WHITESPACE) + 1; ++ if (*s[0] == '=' && !wspace) ++ *s += strspn(*s + 1, WHITESPACE) + 1; ++ ++ return (old); ++} ++ +/* + * Processes a single option line as used in the configuration files. This + * only sets those values that have not already been set. 
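Review bot: In the new `ldap_strdelim()` the local `wspace` is initialised to 0 and never assigned, so the `!wspace` half of `if (*s[0] == '=' && !wspace)` is always true and the variable is dead; drop the declaration and write `if (*s[0] == '=')`. The comment above `WHITESPACE` says "in strsep calls", but the function uses strpbrk() and strspn(), so `/* Characters treated as token separators by ldap_strdelim(). */` would match the code. `*s[0]` parses as `*(s[0])`, which happens to equal the intended `(*s)[0]`; writing `(*s)[0]` avoids the double-take. The helper has no quote handling, so a value containing whitespace (a bind password, for instance) cannot be written on a config line; if that is intended, a comment saying so would explain why the call sites in the following hunks switch away from `strdelim()`.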
@@ -909,11 +937,11 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c + + s = line; + /* Get the keyword. (Each line is supposed to begin with a keyword). */ -+ if ((keyword = strdelim(&s)) == NULL) ++ if ((keyword = ldap_strdelim(&s)) == NULL) + return 0; + /* Ignore leading whitespace. */ + if (*keyword == '\0') -+ keyword = strdelim(&s); ++ keyword = ldap_strdelim(&s); + if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#') + return 0; + @@ -949,7 +977,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c + case lBindPW: + charptr = &options.bindpw; +parse_string: -+ arg = strdelim(&s); ++ arg = ldap_strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", filename, linenum); + if (*charptr == NULL) @@ -962,7 +990,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c + + case lScope: + intptr = &options.scope; -+ arg = strdelim(&s); ++ arg = ldap_strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum); + value = 0; /* To avoid compiler warning... */ @@ -980,7 +1008,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c + + case lDeref: + intptr = &options.scope; -+ arg = strdelim(&s); ++ arg = ldap_strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum); + value = 0; /* To avoid compiler warning... */ @@ -1001,7 +1029,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c + case lPort: + intptr = &options.port; +parse_int: -+ arg = strdelim(&s); ++ arg = ldap_strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", filename, linenum); + if (arg[0] < '0' || arg[0] > '9') 
@@ -1018,7 +1046,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c + case lTimeLimit: + intptr = &options.timelimit; +parse_time: -+ arg = strdelim(&s); ++ arg = ldap_strdelim(&s); + if (!arg || *arg == '\0') + fatal("%s line %d: missing time value.", + filename, linenum); @@ -1039,7 +1067,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c + + case lBind_Policy: + intptr = &options.bind_policy; -+ arg = strdelim(&s); ++ arg = ldap_strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum); + value = 0; /* To avoid compiler warning... */ @@ -1058,7 +1086,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c + + case lSSL: + intptr = &options.ssl; -+ arg = strdelim(&s); ++ arg = ldap_strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum); + value = 0; /* To avoid compiler warning... */ @@ -1077,7 +1105,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c + case lReferrals: + intptr = &options.referrals; +parse_flag: -+ arg = strdelim(&s); ++ arg = ldap_strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing yes/no argument.", filename, linenum); + value = 0; /* To avoid compiler warning... */ @@ -1097,7 +1125,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c + + case lTLS_CheckPeer: + intptr = &options.tls_checkpeer; -+ arg = strdelim(&s); ++ arg = ldap_strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum); + value = 0; /* To avoid compiler warning... */ 
@@ -1171,7 +1199,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c + } + + /* Check that there is no garbage at end of line. */ -+ if ((arg = strdelim(&s)) != NULL && *arg != '\0') { ++ if ((arg = ldap_strdelim(&s)) != NULL && *arg != '\0') { + fatal("%.200s line %d: garbage at end of line; \"%.200s\".", + filename, linenum, arg); + } diff --git a/SOURCES/openssh-6.3p1-redhat.patch b/SOURCES/openssh-6.3p1-redhat.patch index 5b1ec1d..d85244d 100644 --- a/SOURCES/openssh-6.3p1-redhat.patch +++ b/SOURCES/openssh-6.3p1-redhat.patch @@ -58,6 +58,18 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 +@@ -21,9 +25,9 @@ + # HostKey for protocol version 1 + #HostKey /etc/ssh/ssh_host_key + # HostKeys for protocol version 2 +-#HostKey /etc/ssh/ssh_host_rsa_key ++HostKey /etc/ssh/ssh_host_rsa_key + #HostKey /etc/ssh/ssh_host_dsa_key +-#HostKey /etc/ssh/ssh_host_ecdsa_key ++HostKey /etc/ssh/ssh_host_ecdsa_key + + # Lifetime and size of ephemeral version 1 server key + #KeyRegenerationInterval 1h @@ -35,6 +39,7 @@ # Logging # obsoletes QuietMode and FascistLogging diff --git a/SOURCES/openssh-6.4p1-3des-dh-size.patch b/SOURCES/openssh-6.4p1-3des-dh-size.patch new file mode 100644 index 0000000..a2bedec --- /dev/null +++ b/SOURCES/openssh-6.4p1-3des-dh-size.patch 
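Review bot: Uncommenting `HostKey /etc/ssh/ssh_host_rsa_key` and `HostKey /etc/ssh/ssh_host_ecdsa_key` in the sshd_config hunk replaces sshd's built-in default host-key list rather than extending it, so with `#HostKey /etc/ssh/ssh_host_dsa_key` left commented a DSA host key present on disk is no longer loaded. That is consistent with the `AUTOCREATE_SERVER_KEYS=NODSA` default this commit sets in sshd-keygen, but the config gives no hint, and an administrator who later generates a DSA key will not see it served. A comment above the block, `# Listing HostKey explicitly disables the built-in defaults; uncomment the DSA line if that key should be offered`, would record the intent.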
@@ -0,0 +1,144 @@ +diff -U0 openssh-6.4p1/ChangeLog.3des-dh-size openssh-6.4p1/ChangeLog +--- openssh-6.4p1/ChangeLog.3des-dh-size 2014-01-28 14:15:25.178358616 +0100 ++++ openssh-6.4p1/ChangeLog 2014-01-28 14:18:24.678444650 +0100 +@@ -0,0 +1,15 @@ ++20140126 ++ - OpenBSD CVS Sync ++ - dtucker@cvs.openbsd.org 2014/01/25 10:12:50 ++ [cipher.c cipher.h kex.c kex.h kexgexc.c] ++ Add a special case for the DH group size for 3des-cbc, which has an ++ effective strength much lower than the key size. This causes problems ++ with some cryptlib implementations, which don't support group sizes larger ++ than 4k but also don't use the largest group size it does support as ++ specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, ++ reduced by me with input from Markus. ok djm@ markus@ ++ - markus@cvs.openbsd.org 2014/01/25 20:35:37 ++ [kex.c] ++ dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ++ ok dtucker@, noted by mancha ++ +diff -up openssh-6.4p1/cipher.c.3des-dh-size openssh-6.4p1/cipher.c +--- openssh-6.4p1/cipher.c.3des-dh-size 2014-01-28 14:15:25.101359008 +0100 ++++ openssh-6.4p1/cipher.c 2014-01-28 14:17:48.119630792 +0100 +@@ -1,4 +1,4 @@ +-/* $OpenBSD: cipher.c,v 1.89 2013/05/17 00:13:13 djm Exp $ */ ++/* $OpenBSD: cipher.c,v 1.94 2014/01/25 10:12:50 dtucker Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -144,6 +144,14 @@ cipher_keylen(const Cipher *c) + } + + u_int ++cipher_seclen(const Cipher *c) ++{ ++ if (strcmp("3des-cbc", c->name) == 0) ++ return 14; ++ return cipher_keylen(c); ++} ++ ++u_int + cipher_authlen(const Cipher *c) + { + return (c->auth_len); +diff -up openssh-6.4p1/cipher.h.3des-dh-size openssh-6.4p1/cipher.h +--- openssh-6.4p1/cipher.h.3des-dh-size 2014-01-28 14:15:25.178358616 +0100 ++++ openssh-6.4p1/cipher.h 2014-01-28 14:17:17.858784879 +0100 +@@ -1,4 +1,4 @@ +-/* $OpenBSD: cipher.h,v 1.40 2013/04/19 01:06:50 djm Exp $ */ ++/* $OpenBSD: cipher.h,v 1.44 
2014/01/25 10:12:50 dtucker Exp $ */ + + /* + * Author: Tatu Ylonen +@@ -95,6 +95,7 @@ void cipher_cleanup(CipherContext *); + int cipher_set_key_string(CipherContext *, const Cipher *, const char *, int); + u_int cipher_blocksize(const Cipher *); + u_int cipher_keylen(const Cipher *); ++u_int cipher_seclen(const Cipher *); + u_int cipher_authlen(const Cipher *); + u_int cipher_ivlen(const Cipher *); + u_int cipher_is_cbc(const Cipher *); +diff -up openssh-6.4p1/kex.c.3des-dh-size openssh-6.4p1/kex.c +--- openssh-6.4p1/kex.c.3des-dh-size 2014-01-28 14:15:25.165358682 +0100 ++++ openssh-6.4p1/kex.c 2014-01-28 14:19:22.038152586 +0100 +@@ -1,4 +1,4 @@ +-/* $OpenBSD: kex.c,v 1.91 2013/05/17 00:13:13 djm Exp $ */ ++/* $OpenBSD: kex.c,v 1.97 2014/01/25 20:35:37 markus Exp $ */ + /* + * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. + * +@@ -494,7 +494,7 @@ kex_choose_conf(Kex *kex) + char **my, **peer; + char **cprop, **sprop; + int nenc, nmac, ncomp; +- u_int mode, ctos, need, authlen; ++ u_int mode, ctos, need, dh_need, authlen; + int first_kex_follows, type; + + my = kex_buf2prop(&kex->my, NULL); +@@ -545,20 +545,21 @@ kex_choose_conf(Kex *kex) + choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); + choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], + sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]); +- need = 0; ++ need = dh_need = 0; + for (mode = 0; mode < MODE_MAX; mode++) { + newkeys = kex->newkeys[mode]; +- if (need < newkeys->enc.key_len) +- need = newkeys->enc.key_len; +- if (need < newkeys->enc.block_size) +- need = newkeys->enc.block_size; +- if (need < newkeys->enc.iv_len) +- need = newkeys->enc.iv_len; +- if (need < newkeys->mac.key_len) +- need = newkeys->mac.key_len; ++ need = MAX(need, newkeys->enc.key_len); ++ need = MAX(need, newkeys->enc.block_size); ++ need = MAX(need, newkeys->enc.iv_len); ++ need = MAX(need, newkeys->mac.key_len); ++ dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher)); ++ dh_need = 
MAX(dh_need, newkeys->enc.block_size); ++ dh_need = MAX(dh_need, newkeys->enc.iv_len); ++ dh_need = MAX(dh_need, newkeys->mac.key_len); + } + /* XXX need runden? */ + kex->we_need = need; ++ kex->dh_need = dh_need; + + /* ignore the next message if the proposals do not match */ + if (first_kex_follows && !proposals_match(my, peer) && +diff -up openssh-6.4p1/kexgexc.c.3des-dh-size openssh-6.4p1/kexgexc.c +--- openssh-6.4p1/kexgexc.c.3des-dh-size 2014-01-28 14:15:25.165358682 +0100 ++++ openssh-6.4p1/kexgexc.c 2014-01-28 14:19:09.718215323 +0100 +@@ -1,4 +1,4 @@ +-/* $OpenBSD: kexgexc.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */ ++/* $OpenBSD: kexgexc.c,v 1.16 2014/01/25 10:12:50 dtucker Exp $ */ + /* + * Copyright (c) 2000 Niels Provos. All rights reserved. + * Copyright (c) 2001 Markus Friedl. All rights reserved. +@@ -60,7 +60,7 @@ kexgex_client(Kex *kex) + int min, max, nbits; + DH *dh; + +- nbits = dh_estimate(kex->we_need * 8); ++ nbits = dh_estimate(kex->dh_need * 8); + + if (datafellows & SSH_OLD_DHGEX) { + /* Old GEX request */ +diff -up openssh-6.4p1/kex.h.3des-dh-size openssh-6.4p1/kex.h +--- openssh-6.4p1/kex.h.3des-dh-size 2014-01-28 14:15:25.142358799 +0100 ++++ openssh-6.4p1/kex.h 2014-01-28 14:18:49.431318614 +0100 +@@ -1,4 +1,4 @@ +-/* $OpenBSD: kex.h,v 1.56 2013/07/19 07:37:48 markus Exp $ */ ++/* $OpenBSD: kex.h,v 1.61 2014/01/25 10:12:50 dtucker Exp $ */ + + /* + * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. +@@ -125,6 +125,7 @@ struct Kex { + u_int session_id_len; + Newkeys *newkeys[MODE_MAX]; + u_int we_need; ++ u_int dh_need; + int server; + char *name; + int hostkey_type; diff --git a/SOURCES/openssh-6.4p1-FIPS-mode-SP800-131A.patch b/SOURCES/openssh-6.4p1-FIPS-mode-SP800-131A.patch new file mode 100644 index 0000000..cf632d8 --- /dev/null +++ b/SOURCES/openssh-6.4p1-FIPS-mode-SP800-131A.patch 
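Review bot: `cipher_seclen()` returns the bare constant 14 for 3des-cbc with no comment, and the rationale lives only in the ChangeLog entry earlier in the patch; a why-comment on the `return 14;` line, `/* 3DES: 168-bit key but ~112-bit effective strength (14 bytes); keeps dh_estimate() from requesting oversized groups */`, keeps it with the code. The match is by name via `strcmp("3des-cbc", c->name)`, so any other 3DES entry in the cipher table would silently fall back to `cipher_keylen()`; if there is only one such entry a comment saying so would help. `kex->we_need` is kept alongside the new `kex->dh_need`, and only kexgexc.c switches `dh_estimate()` to the latter; a one-line comment at `kex->dh_need = dh_need;` stating that `dh_need` feeds only the GEX group-size request would stop a reader from "fixing" the asymmetry. `kex_choose_conf()` starts and ends outside its hunk.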
@@ -0,0 +1,206 @@ +diff --git a/dh.h b/dh.h +index 48f7b68..9ff39f4 100644 +--- a/dh.h ++++ b/dh.h +@@ -45,6 +45,7 @@ int dh_estimate(int); + + /* Min and max values from RFC4419. */ + #define DH_GRP_MIN 1024 ++#define DH_GRP_MIN_FIPS 2048 + #define DH_GRP_MAX 8192 + + /* +diff --git a/kex.c b/kex.c +index a468805..3a0eb16 100644 +--- a/kex.c ++++ b/kex.c +@@ -34,6 +34,7 @@ + #include + + #include ++#include + + #include "xmalloc.h" + #include "ssh2.h" +@@ -93,6 +94,20 @@ static const struct kexalg kexalgs[] = { + { NULL, -1, -1, NULL}, + }; + ++static const struct kexalg kexalgs_fips[] = { ++ { KEX_DH14, KEX_DH_GRP14_SHA1, 0, EVP_sha1 }, ++ { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, EVP_sha1 }, ++#ifdef HAVE_EVP_SHA256 ++ { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, EVP_sha256 }, ++#endif ++#ifdef OPENSSL_HAS_ECC ++ { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, NID_X9_62_prime256v1, EVP_sha256 }, ++ { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 }, ++ { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512 }, ++#endif ++ { NULL, -1, -1, NULL}, ++}; ++ + char * + kex_alg_list(void) + { +@@ -116,7 +131,7 @@ kex_alg_by_name(const char *name) + { + const struct kexalg *k; + +- for (k = kexalgs; k->name != NULL; k++) { ++ for (k = (FIPS_mode() ? 
kexalgs_fips : kexalgs); k->name != NULL; k++) { + if (strcmp(k->name, name) == 0) + return k; + #ifdef GSSAPI +@@ -141,7 +156,10 @@ kex_names_valid(const char *names) + for ((p = strsep(&cp, ",")); p && *p != '\0'; + (p = strsep(&cp, ","))) { + if (kex_alg_by_name(p) == NULL) { +- error("Unsupported KEX algorithm \"%.100s\"", p); ++ if (FIPS_mode()) ++ error("\"%.100s\" is not allowed in FIPS mode", p); ++ else ++ error("Unsupported KEX algorithm \"%.100s\"", p); + free(s); + return 0; + } +diff --git a/kexecdhc.c b/kexecdhc.c +index 6193836..d435f1f 100644 +--- a/kexecdhc.c ++++ b/kexecdhc.c +@@ -154,6 +154,7 @@ kexecdh_client(Kex *kex) + + kex_derive_keys(kex, hash, hashlen, shared_secret); + BN_clear_free(shared_secret); ++ memset(hash, 0, hashlen); + kex_finish(kex); + } + #else /* OPENSSL_HAS_ECC */ +diff --git a/kexecdhs.c b/kexecdhs.c +index 3a580aa..9a06905 100644 +--- a/kexecdhs.c ++++ b/kexecdhs.c +@@ -155,6 +155,7 @@ kexecdh_server(Kex *kex) + + kex_derive_keys(kex, hash, hashlen, shared_secret); + BN_clear_free(shared_secret); ++ memset(hash, 0, hashlen); + kex_finish(kex); + } + #else /* OPENSSL_HAS_ECC */ +diff --git a/kexgexc.c b/kexgexc.c +index 5a3be20..a931b6e 100644 +--- a/kexgexc.c ++++ b/kexgexc.c +@@ -26,6 +26,8 @@ + + #include "includes.h" + ++#include ++ + #include + + #include +@@ -64,13 +66,13 @@ kexgex_client(Kex *kex) + /* Old GEX request */ + packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD); + packet_put_int(nbits); +- min = DH_GRP_MIN; ++ min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN; + max = DH_GRP_MAX; + + debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits); + } else { + /* New GEX request */ +- min = DH_GRP_MIN; ++ min = FIPS_mode() ? 
DH_GRP_MIN_FIPS : DH_GRP_MIN; + max = DH_GRP_MAX; + packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST); + packet_put_int(min); +diff --git a/kexgexs.c b/kexgexs.c +index 4e473fc..2ed49bd 100644 +--- a/kexgexs.c ++++ b/kexgexs.c +@@ -76,16 +76,16 @@ kexgex_server(Kex *kex) + omin = min = packet_get_int(); + onbits = nbits = packet_get_int(); + omax = max = packet_get_int(); +- min = MAX(DH_GRP_MIN, min); ++ min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min); + max = MIN(DH_GRP_MAX, max); +- nbits = MAX(DH_GRP_MIN, nbits); ++ nbits = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits); + nbits = MIN(DH_GRP_MAX, nbits); + break; + case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD: + debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received"); + onbits = nbits = packet_get_int(); + /* unused for old GEX */ +- omin = min = DH_GRP_MIN; ++ omin = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN; + omax = max = DH_GRP_MAX; + break; + default: +diff --git a/myproposal.h b/myproposal.h +index ee69ea2..1b68c5b 100644 +--- a/myproposal.h ++++ b/myproposal.h +@@ -72,6 +72,12 @@ + "diffie-hellman-group14-sha1," \ + "diffie-hellman-group1-sha1" + ++#define KEX_DEFAULT_KEX_FIPS \ ++ KEX_ECDH_METHODS \ ++ KEX_SHA256_METHODS \ ++ "diffie-hellman-group-exchange-sha1," \ ++ "diffie-hellman-group14-sha1" ++ + #define KEX_DEFAULT_PK_ALG \ + HOSTKEY_ECDSA_CERT_METHODS \ + "ssh-rsa-cert-v01@openssh.com," \ +diff --git a/ssh-keygen.c b/ssh-keygen.c +index cac6762..2569016 100644 +--- a/ssh-keygen.c ++++ b/ssh-keygen.c +@@ -183,8 +183,14 @@ type_bits_valid(int type, u_int32_t *bitsp) + fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); + exit(1); + } +- if (type == KEY_DSA && *bitsp != 1024) ++ if (type == KEY_DSA && FIPS_mode()) ++ fatal("DSA keys are not allowed in FIPS mode"); ++ else if (type == KEY_DSA && *bitsp != 1024) + fatal("DSA keys must be 1024 bits"); ++ else if (type == KEY_RSA && bits < DEFAULT_BITS && FIPS_mode()) { ++ fprintf(stderr, "RSA keys must be at least %d bits in FIPS mode\n", 
DEFAULT_BITS); ++ exit(1); ++ } + else if (type != KEY_ECDSA && *bitsp < 768) + fatal("Key must at least be 768 bits"); + else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1) +diff --git a/sshconnect2.c b/sshconnect2.c +index 7e48880..3179d82 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -231,6 +231,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) + } + if (options.kex_algorithms != NULL) + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; ++ else if (FIPS_mode()) ++ myproposal[PROPOSAL_KEX_ALGS] = KEX_DEFAULT_KEX_FIPS; + + #ifdef GSSAPI + /* If we've got GSSAPI algorithms, then we also support the +diff --git a/sshd.c b/sshd.c +index 11adbf6..f5e98bc 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -2605,6 +2605,8 @@ do_ssh2_kex(void) + } + if (options.kex_algorithms != NULL) + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; ++ else if (FIPS_mode()) ++ myproposal[PROPOSAL_KEX_ALGS] = KEX_DEFAULT_KEX_FIPS; + + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, diff --git a/SOURCES/openssh-6.4p1-audit.patch b/SOURCES/openssh-6.4p1-audit.patch index 0c4ce54..77a6fa4 100644 --- a/SOURCES/openssh-6.4p1-audit.patch +++ b/SOURCES/openssh-6.4p1-audit.patch @@ -2148,6 +2148,15 @@ diff -up openssh-6.3p1/sshd.c.audit openssh-6.3p1/sshd.c } /* Certs do not need demotion */ } +@@ -652,7 +703,7 @@ privsep_preauth(Authctxt *authctxt) + + if (use_privsep == PRIVSEP_ON) + box = ssh_sandbox_init(); +- pid = fork(); ++ pmonitor->m_pid = pid = fork(); + if (pid == -1) { + fatal("fork of unprivileged child failed"); + } else if (pid != 0) { @@ -708,6 +759,8 @@ privsep_preauth(Authctxt *authctxt) } } 
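Review bot: In the ssh-keygen.c hunk the new RSA check reads `bits` while every neighbouring check in `type_bits_valid(int type, u_int32_t *bitsp)` reads `*bitsp` (`*bitsp != 1024`, `*bitsp < 768`); `bits` is presumably a file-scope variable, so the FIPS minimum is enforced against whatever that holds rather than the size the caller passed in. The line should read `else if (type == KEY_RSA && *bitsp < DEFAULT_BITS && FIPS_mode()) {`. In kexgexs.c, `MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min)` evaluates `FIPS_mode()` twice if MAX is the usual ternary macro, and the same expression recurs three more times across kexgexs.c and kexgexc.c; computing `int grp_min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;` once per function is cheaper and easier to read. The added `memset(hash, 0, hashlen);` in kexecdhc.c/kexecdhs.c is a good addition; should `hash` ever point at an automatic buffer the store may be optimised away, so `OPENSSL_cleanse(hash, hashlen);` is the robust form.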
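Review bot: `pmonitor->m_pid = pid = fork();` makes `m_pid` 0 in the child, and the second hunk (`@@ -2244,7 +2253,7 @@`) relies on that with `is_privsep_child = use_privsep && pmonitor != NULL && pmonitor->m_pid == 0;`. Zero is presumably also what `m_pid` holds in the monitor between `monitor_init()` and this fork, so a `cleanup_exit()` in that window would be passed to `destroy_sensitive_data()` as if it were the child; if that window is acceptable, a comment on the fork line, `/* m_pid is 0 only in the unprivileged child (and before the first fork) */`, records the assumption for the next reader. `privsep_preauth()` starts and ends outside the hunk.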
@@ -2244,7 +2253,7 @@ diff -up openssh-6.3p1/sshd.c.audit openssh-6.3p1/sshd.c pmonitor->m_pid, strerror(errno)); } } -+ is_privsep_child = use_privsep && pmonitor != NULL && !mm_is_monitor(); ++ is_privsep_child = use_privsep && pmonitor != NULL && pmonitor->m_pid == 0; + if (sensitive_data.host_keys != NULL) + destroy_sensitive_data(is_privsep_child); + packet_destroy_all(1, is_privsep_child); diff --git a/SOURCES/openssh-6.4p1-fromto-remote.patch b/SOURCES/openssh-6.4p1-fromto-remote.patch new file mode 100644 index 0000000..4a7d849 --- /dev/null +++ b/SOURCES/openssh-6.4p1-fromto-remote.patch @@ -0,0 +1,16 @@ +diff --git a/scp.c b/scp.c +index d98fa67..25d347b 100644 +--- a/scp.c ++++ b/scp.c +@@ -638,7 +638,10 @@ toremote(char *targ, int argc, char **argv) + addargs(&alist, "%s", ssh_program); + addargs(&alist, "-x"); + addargs(&alist, "-oClearAllForwardings=yes"); +- addargs(&alist, "-n"); ++ if (isatty(fileno(stdin))) ++ addargs(&alist, "-t"); ++ else ++ addargs(&alist, "-n"); + for (j = 0; j < remote_remote_args.num; j++) { + addargs(&alist, "%s", + remote_remote_args.list[j]); diff --git a/SOURCES/openssh-6.4p1-ignore-bad-env-var.patch b/SOURCES/openssh-6.4p1-ignore-bad-env-var.patch new file mode 100644 index 0000000..3bb49c2 --- /dev/null +++ b/SOURCES/openssh-6.4p1-ignore-bad-env-var.patch 
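Review bot: In the scp.c `toremote()` hunk, swapping `-n` for `-t` when stdin is a tty changes two things at once, since `-n` also redirected the intermediate ssh's stdin from /dev/null; the code carries no hint of why the terminal is now handed through. A why-comment above the `isatty()` test, `/* on a terminal, give the intermediate ssh a tty so it can prompt; otherwise keep stdin closed as before */`, would make the behaviour change reviewable. `toremote()` starts and ends outside the hunk.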
@@ -0,0 +1,37 @@ +diff -U0 openssh-6.4p1/ChangeLog.bad-env-var openssh-6.4p1/ChangeLog +--- openssh-6.4p1/ChangeLog.bad-env-var 2014-03-19 21:37:36.270509907 +0100 ++++ openssh-6.4p1/ChangeLog 2014-03-19 21:37:36.276509878 +0100 +@@ -0,0 +1,7 @@ ++20140304 ++ - OpenBSD CVS Sync ++ - djm@cvs.openbsd.org 2014/03/03 22:22:30 ++ [session.c] ++ ignore enviornment variables with embedded '=' or '\0' characters; ++ spotted by Jann Horn; ok deraadt@ ++ +diff -up openssh-6.4p1/session.c.bad-env-var openssh-6.4p1/session.c +--- openssh-6.4p1/session.c.bad-env-var 2014-03-19 21:37:36.233510090 +0100 ++++ openssh-6.4p1/session.c 2014-03-19 21:37:36.277509873 +0100 +@@ -990,6 +990,11 @@ child_set_env(char ***envp, u_int *envsi + u_int envsize; + u_int i, namelen; + ++ if (strchr(name, '=') != NULL) { ++ error("Invalid environment variable \"%.100s\"", name); ++ return; ++ } ++ + /* + * If we're passed an uninitialized list, allocate a single null + * entry before continuing. +@@ -2255,8 +2260,8 @@ session_env_req(Session *s) + char *name, *val; + u_int name_len, val_len, i; + +- name = packet_get_string(&name_len); +- val = packet_get_string(&val_len); ++ name = packet_get_cstring(&name_len); ++ val = packet_get_cstring(&val_len); + packet_check_eom(); + + /* Don't set too many environment variables */ diff --git a/SOURCES/openssh-6.4p1-legacy-ssh-copy-id.patch b/SOURCES/openssh-6.4p1-legacy-ssh-copy-id.patch new file mode 100644 index 0000000..ba8d949 --- /dev/null +++ b/SOURCES/openssh-6.4p1-legacy-ssh-copy-id.patch 
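Review bot: The new guard in `child_set_env()` rejects a name containing '=' but gives no reason, and the second change in the same patch (`packet_get_string` to `packet_get_cstring`) rejects embedded NULs for the same family of problem; a why-comment above the `strchr` line, `/* NAME=VALUE entries are split at the first '=', so a name containing one cannot be stored or matched unambiguously */`, ties the two together. An empty name still passes the check; whether that is harmless depends on callers outside the hunk. `child_set_env()` and `session_env_req()` both start and end outside their hunks.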
@@ -0,0 +1,57 @@ +diff -up openssh-6.4p1/contrib/ssh-copy-id.1.legacy-ssh-copy-id openssh-6.4p1/contrib/ssh-copy-id.1 +--- openssh-6.4p1/contrib/ssh-copy-id.1.legacy-ssh-copy-id 2013-03-22 00:17:37.000000000 +0100 ++++ openssh-6.4p1/contrib/ssh-copy-id.1 2014-01-28 17:12:49.197542425 +0100 +@@ -180,6 +180,19 @@ should prove enlightening (N.B. the mode + .Fl W + option, rather than + .Xr nc 1 ) . ++.Sh ENVIRONMENT ++.Bl -tag -width Ds ++.Pp ++.It Pa SSH_COPY_ID_LEGACY ++If the ++.Cm SSH_COPY_ID_LEGACY ++environment variable is set, the ++.Nm ++is run in a legacy mode. In this mode, the ++.Nm ++doesn't check an existence of a private key and doesn't do remote checks ++of the remote server versions or if public keys are already installed. ++.El + .Sh "SEE ALSO" + .Xr ssh 1 , + .Xr ssh-agent 1 , +diff -up openssh-6.4p1/contrib/ssh-copy-id.legacy-ssh-copy-id openssh-6.4p1/contrib/ssh-copy-id +--- openssh-6.4p1/contrib/ssh-copy-id.legacy-ssh-copy-id 2013-06-05 14:48:45.000000000 +0200 ++++ openssh-6.4p1/contrib/ssh-copy-id 2014-01-28 17:11:51.538833032 +0100 +@@ -77,7 +77,7 @@ use_id_file() { + PUB_ID_FILE="$L_ID_FILE.pub" + fi + +- PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub) ++ [ "x$SSH_COPY_ID_LEGACY" != "x" ] || PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub) + + # check that the files are readable + for f in $PUB_ID_FILE $PRIV_ID_FILE ; do +@@ -243,7 +243,7 @@ populate_new_ids() { + printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2 + } + +-REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 | ++[ "x$SSH_COPY_ID_LEGACY" != "x" ] || REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 | + sed -ne 's/.*remote software version //p') + + case "$REMOTE_VERSION" in +@@ -268,7 +268,11 @@ case "$REMOTE_VERSION" in + ;; + *) + # Assuming that the remote host treats ~/.ssh/authorized_keys as one 
might expect +- populate_new_ids 0 ++ if [ "x$SSH_COPY_ID_LEGACY" != "x" ]; then ++ NEW_IDS=`eval "$GET_ID"` ++ else ++ populate_new_ids 0 ++ fi + [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" " + umask 077 ; + mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; diff --git a/SOURCES/openssh-6.4p1-ssh-keygen-V.patch b/SOURCES/openssh-6.4p1-ssh-keygen-V.patch new file mode 100644 index 0000000..c63df4d --- /dev/null +++ b/SOURCES/openssh-6.4p1-ssh-keygen-V.patch @@ -0,0 +1,23 @@ +diff -U0 openssh-6.4p1/ChangeLog.ssh-keygen-V openssh-6.4p1/ChangeLog +--- openssh-6.4p1/ChangeLog.ssh-keygen-V 2014-01-28 11:07:41.374758458 +0100 ++++ openssh-6.4p1/ChangeLog 2014-01-28 11:14:38.172631130 +0100 +@@ -0,0 +1,7 @@ ++20131023 ++ - djm@cvs.openbsd.org 2013/10/23 04:16:22 ++ [ssh-keygen.c] ++ Make code match documentation: relative-specified certificate expiry time ++ should be relative to current time and not the validity start time. ++ Reported by Petr Lautrbach; ok deraadt@ ++ +diff -up openssh-6.4p1/ssh-keygen.c.ssh-keygen-V openssh-6.4p1/ssh-keygen.c +--- openssh-6.4p1/ssh-keygen.c.ssh-keygen-V 2014-01-28 11:07:41.365758505 +0100 ++++ openssh-6.4p1/ssh-keygen.c 2014-01-28 11:07:41.375758453 +0100 +@@ -1747,7 +1747,7 @@ parse_cert_times(char *timespec) + cert_valid_from = parse_absolute_time(from); + + if (*to == '-' || *to == '+') +- cert_valid_to = parse_relative_time(to, cert_valid_from); ++ cert_valid_to = parse_relative_time(to, now); + else + cert_valid_to = parse_absolute_time(to); + diff --git a/SOURCES/sshd-keygen b/SOURCES/sshd-keygen index 012bb64..d54e4b9 100644 --- a/SOURCES/sshd-keygen +++ b/SOURCES/sshd-keygen @@ -4,7 +4,7 @@ # # The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment # variable. -AUTOCREATE_SERVER_KEYS=RSAONLY +AUTOCREATE_SERVER_KEYS=NODSA # source function library . /etc/rc.d/init.d/functions 
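Review bot: In the `*)` branch the legacy path uses backticks, `NEW_IDS=\`eval "$GET_ID"\``, while the rest of the script, including the lines this hunk touches, uses `$(...)`; `NEW_IDS=$(eval "$GET_ID")` keeps one style and nests safely. The three `[ "x$SSH_COPY_ID_LEGACY" != "x" ] ||` guards are spread across the script; a single flag computed once, e.g. `LEGACY_MODE=${SSH_COPY_ID_LEGACY:+yes}`, tested in each place would make the mode obvious. Skipping the `PRIV_ID_FILE=` assignment leaves that variable unset for the `for f in $PUB_ID_FILE $PRIV_ID_FILE` loop that follows, which is what makes the private-key check disappear; a comment on that line saying so would help the next reader. `use_id_file()` and the top-level `case` start outside the hunk.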
@@ -96,7 +96,7 @@ do_ecdsa_keygen() {
 rm -f $ECDSA_KEY
 if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
 chgrp ssh_keys $ECDSA_KEY
- chmod 600 $ECDSA_KEY
+ chmod 640 $ECDSA_KEY
 chmod 644 $ECDSA_KEY.pub
 if [ -x /sbin/restorecon ]; then
 /sbin/restorecon $ECDSA_KEY.pub
@@ -115,8 +115,9 @@ do_ecdsa_keygen() {
 if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
 do_rsa_keygen
 if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
- do_rsa1_keygen
- do_dsa_keygen
 do_ecdsa_keygen
+ if [ "x${AUTOCREATE_SERVER_KEYS}" != xNODSA ]; then
+ do_dsa_keygen
+ fi
 fi
 fi
diff --git a/SOURCES/sshd.sysconfig b/SOURCES/sshd.sysconfig
index 9a30a83..ddd7744 100644
--- a/SOURCES/sshd.sysconfig
+++ b/SOURCES/sshd.sysconfig
@@ -1,9 +1,11 @@
 # Configuration file for the sshd service.
-# The server keys are automatically generated if they ommited
-# to change the automatic creation uncomment the approprite
-# line. The default is RSAONLY
+# The server keys are automatically generated if they omitted
+# to change the automatic creation uncomment the appropriate
+# line. The default is NODSA which means rsa and ecdsa keys are
+# generated.
+# AUTOCREATE_SERVER_KEYS=NODSA
 # AUTOCREATE_SERVER_KEYS=RSAONLY
 # AUTOCREATE_SERVER_KEYS=NO
 # AUTOCREATE_SERVER_KEYS=YES
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index fe0d5d8..22093be 100644
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@@ -64,9 +64,9 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 6.4p1
-%define openssh_rel 1
+%define openssh_rel 8
 %define pam_ssh_agent_ver 0.9.3
-%define pam_ssh_agent_rel 1
+%define pam_ssh_agent_rel 8
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
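Review bot: `do_rsa1_keygen` is dropped from the `!= xRSAONLY` branch and not re-added under any value, so even `AUTOCREATE_SERVER_KEYS=YES` no longer creates the protocol-1 host key; neither this script nor the `# AUTOCREATE_SERVER_KEYS=YES` line in the sysconfig hunk says so, and an sshd_config that still enables protocol 1 would be left without a matching key. A comment above the outer `if` would make the new matrix explicit, e.g. `# RSA1 (protocol 1) host keys are never generated; RSAONLY: rsa, NODSA: rsa+ecdsa, YES: rsa+ecdsa+dsa`. Since the branches only compare against `xNO`, `xRSAONLY` and `xNODSA`, any other value (a typo, or lower-case `yes`) falls through to the full set; if that is not intended, an explicit `YES` check or a `case` with an error for unknown values would be safer.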
@@ -182,8 +182,19 @@ Patch901: openssh-6.3p1-kuserok.patch
 Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
 # increase the size of the Diffie-Hellman groups (#1010607)
 Patch903: openssh-6.3p1-increase-size-of-DF-groups.patch
-# don't test ecdsa-521 keys (#969342)
-Patch1000: openssh-6.2p2-dont-test-ecdsa-521-keys.patch
+# FIPS mode - adjust the key echange DH groups and ssh-keygen according to SP800-131A (#1001748)
+Patch904: openssh-6.4p1-FIPS-mode-SP800-131A.patch
+# Run ssh-copy-id in the legacy mode when SSH_COPY_ID_LEGACY variable is set (#969375
+Patch905: openssh-6.4p1-legacy-ssh-copy-id.patch
+# Use tty allocation for a remote scp (#985650)
+Patch906: openssh-6.4p1-fromto-remote.patch
+# ssh-keygen - relative-specified certificate expiry time should be relative to current time and
+# not the validity start time (#1058234)
+Patch907: openssh-6.4p1-ssh-keygen-V.patch
+# use the size of security of 3des for DH (#1053107)
+Patch908: openssh-6.4p1-3des-dh-size.patch
+# ignore environment variables with embedded '=' or '\0' characters (#1077843)
+Patch909: openssh-6.4p1-ignore-bad-env-var.patch
 License: BSD
@@ -405,7 +416,12 @@ popd
 %patch901 -p1 -b .kuserok
 %patch902 -p1 -b .ccache_name
 %patch903 -p1 -b .dh
-%patch1000 -p1 -b .ecc
+%patch904 -p1 -b .SP800-131A
+%patch905 -p1 -b .legacy-ssh-copy-id
+%patch906 -p1 -b .fromto-remote
+%patch907 -p1 -b .ssh-keygen-V
+%patch908 -p1 -b .3des-dh-size
+%patch909 -p1 -b .bad-env-var
 %if 0
 # Nothing here yet
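Review bot: The Patch905 comment is missing its closing parenthesis — `(#969375` should be `(#969375)` — and the Patch904 comment has a typo, `key echange` → `key exchange`. The new Patch904–Patch909 declarations and the `%patch904`–`%patch909` applications in the second hunk are consistent with each other and with the existing `-p1 -b .suffix` convention, so nothing else is needed there.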
@@ -720,6 +736,35 @@ getent passwd sshd >/dev/null || \ %endif %changelog +* Wed Mar 19 2014 Petr Lautrbach 6.4p1-8 + 0.9.3-8 +- ignore environment variables with embedded '=' or '\0' characters (#1077843) + +* Tue Jan 28 2014 Petr Lautrbach 6.4p1-7 + 0.9.3-8 +- log fipscheck verification message into syslog authpriv +- ssh-keygen - relative-specified certificate expiry time should be relative + to current time and not the validity start time (#1058234) +- use the size of security of 3des for DH (#1053107) +- ssh-copy-id.1 man page fix (#1058792) + +* Fri Jan 24 2014 Daniel Mach - 6.4p1-6 +- Mass rebuild 2014-01-24 + +* Mon Jan 20 2014 Petr Lautrbach 6.4p1-5 + 0.9.3-8 +- use tty allocation for a remote scp (#985650) +- run ssh-copy-id in the legacy mode when SSH_COPY_ID_LEGACY variable is set (#969375) +- FIPS mode - adjust the key echange DH groups and ssh-keygen according toSP800-131A (#1001748) + +* Fri Dec 27 2013 Daniel Mach - 6.4p1-4 +- Mass rebuild 2013-12-27 + +* Wed Dec 11 2013 Petr Lautrbach 6.4p1-3 + 0.9.3-8 +- sshd-keygen - use correct permissions on ecdsa host key (#1023945) +- use only rsa and ecdsa host keys by default + +* Tue Nov 26 2013 Petr Lautrbach 6.4p1-2 + 0.9.3-1 +- fix fatal() cleanup in the audit patch (#1029074) +- fix parsing logic of ldap.conf file (#1033662) + * Fri Nov 08 2013 Petr Lautrbach 6.4p1-1 + 0.9.3-1 - new upstream release